CCIE Practical Studies, Volume I
Lab 29: Configuring Access Lists, Named Access Lists, and EIGRP Route Filters, Part II
Lab Walkthrough
After completing the physical installation, you should establish IP connectivity among all the routers. At this point, don't be concerned about pinging loopback addresses of the routers. There will be a routing loop until the filters are applied.

Beginning with the fbi_router router, configure the IP addresses of Ethernet and two serial interfaces. Because you are configuring the DCE side of both links, be sure to include the clock rate command under the serial interface.

Configure the state_patrol router first. When you can ping the serial interface of the fbi_hq router from the state_patrol router, configure EIGRP. Seeing individual subnets will be important, so you will need to add the no auto-summary command under EIGRP. To configure the state_patrol router as a route generator, use MS Notepad and make a file similar to the following:

    int loop 20
    ip add 150.100.1.1 255.255.255.0
    int loop 21
    ip add 150.100.2.1 255.255.255.0
    int loop 22
    ip add 150.100.3.1 255.255.255.0
    int loop 23
    ip add 150.100.4.1 255.255.255.0
    int loop 24
    ip add 150.100.5.1 255.255.255.0
    int loop 25
    ip add 150.100.6.1 255.255.255.0
    int loop 26
    ip add 150.100.7.1 255.255.255.0
    int loop 27
    ip add 150.100.8.1 255.255.255.0
    int loop 28
    ip add 150.100.9.1 255.255.255.0
    int loop 29
    ip add 150.100.10.1 255.255.255.0

Cutting and pasting this text will be quicker than performing the manual key-ins. When you are finished and can see the routes on the fbi_hq router, proceed to configure the local_sheriff router in the same manner. When you are finished, the routing table of the fbi_hq router should appear like Example 14-11.

Example 14-11 show ip route Command on fbi_hq Router
    fbi_hq# show ip route
    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
           U - per-user static route, o - ODR

    Gateway of last resort is not set

         150.10.0.0/24 is subnetted, 1 subnets
    C       150.10.1.0 is directly connected, Ethernet0
         150.100.0.0/16 is variably subnetted, 12 subnets, 2 masks
    C       150.100.100.0/30 is directly connected, Serial0
    C       150.100.101.0/30 is directly connected, Serial1
    D       150.100.2.0/24 [90/2297856] via 150.100.100.1, 00:00:07, Serial0
                           [90/2297856] via 150.100.101.1, 00:00:07, Serial1
    D       150.100.3.0/24 [90/2297856] via 150.100.100.1, 00:00:07, Serial0
                           [90/2297856] via 150.100.101.1, 00:00:07, Serial1
    D       150.100.1.0/24 [90/2297856] via 150.100.100.1, 00:00:07, Serial0
                           [90/2297856] via 150.100.101.1, 00:00:07, Serial1
    D       150.100.6.0/24 [90/2297856] via 150.100.100.1, 00:00:07, Serial0
                           [90/2297856] via 150.100.101.1, 00:00:07, Serial1
    D       150.100.7.0/24 [90/2297856] via 150.100.100.1, 00:00:07, Serial0
                           [90/2297856] via 150.100.101.1, 00:00:07, Serial1
    D       150.100.4.0/24 [90/2297856] via 150.100.100.1, 00:00:08, Serial0
                           [90/2297856] via 150.100.101.1, 00:00:08, Serial1
    D       150.100.5.0/24 [90/2297856] via 150.100.100.1, 00:00:08, Serial0
                           [90/2297856] via 150.100.101.1, 00:00:08, Serial1
    D       150.100.10.0/24 [90/2297856] via 150.100.100.1, 00:00:08, Serial0
                            [90/2297856] via 150.100.101.1, 00:00:08, Serial1
    D       150.100.8.0/24 [90/2297856] via 150.100.100.1, 00:00:09, Serial0
                           [90/2297856] via 150.100.101.1, 00:00:09, Serial1
    D       150.100.9.0/24 [90/2297856] via 150.100.100.1, 00:00:09, Serial0
                           [90/2297856] via 150.100.101.1, 00:00:09, Serial1

Notice that both route generators are advertising the same routes to the fbi_hq router.
If you performed only a ping, you might be persuaded to believe that everything was okay. But performing a source trace from the Ethernet interface of the fbi_hq router shows that you have a routing issue. Example 14-12 lists the output from a source trace and ping.

Example 14-12 trace and ping Commands from fbi_hq
    fbi_hq# ping 150.100.1.1

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 150.100.1.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
    fbi_hq# trace
    Protocol [ip]:
    Target IP address: 150.100.1.1
    Source address: 150.10.1.1
    Numeric display [n]:
    Timeout in seconds [3]:
    Probe count [3]:
    Minimum Time to Live [1]:
    Maximum Time to Live [30]:
    Port Number [33434]:
    Loose, Strict, Record, Timestamp, Verbose[none]:
    Type escape sequence to abort.
    Tracing the route to 150.100.1.1

      1 150.100.100.1 4 msec
        150.100.101.1 4 msec
        150.100.100.1 8 msec

Focusing on the state_patrol router, you need to write a named access list that will allow only the even subnets to be advertised to the fbi_hq router. These subnets would be 0, 2, 4, 6, 8, and 10 of the 150.100.0.0 network. If you wrote 1 through 10 in binary, you would have the following:

    0000 0001 = 1
    0000 0010 = 2
    0000 0011 = 3
    0000 0100 = 4
    0000 0101 = 5
    0000 0110 = 6
    0000 0111 = 7
    0000 1000 = 8
    0000 1001 = 9
    0000 1010 = 10

Notice that all the even subnets have a 0 in the first bit from the right. Therefore, tell the access list that the third octet must have a 0 in the first position. Example 14-13 shows how to configure the access list with these parameters. The wildcard mask is 0.0.254.255 because you want to match only on the 0 in the first position of the third octet of the address in the access list: 254 (1111 1110) tells the router to ignore the other seven bits of that octet, and 255 ignores the fourth octet entirely.

Example 14-13 Named Access List to Allow Even Subnets
    state_patrol(config)# ip access-list standard alloweven
    state_patrol(config-std-nacl)# permit 150.100.0.0 0.0.254.255
    state_patrol(config-std-nacl)# exit
    state_patrol(config)# router eigrp 2001
    state_patrol(config-router)# distribute-list alloweven out s0
    state_patrol(config-router)# ^Z

Moving on to the local_sheriff router, you need to perform a similar exercise. Here, you want to allow only the odd subnets to pass to the fbi_hq router. Using the same logic as for the access list in Example 14-13, put a 1 in the first position of the third octet of the source address of the access list. You can use the same wildcard mask, stating that the first bit must be 1 in the third octet, by using the mask of 0.0.254.255. Example 14-14 demonstrates the configuration of the local_sheriff router.

Example 14-14 Named Access List to Allow Odd Subnets
    county_sheriff(config)# ip access-list standard allowodd
    county_sheriff(config-std-na)# permit 150.100.1.0 0.0.254.255
    county_sheriff(config-std-na)# exit
    county_sheriff(config)# router eigrp 2001
    county_sheriff(config-router)# distribute-list allowodd out s0
    county_sheriff(config-router)# ^Z
    county_sheriff#

To test the final configurations, go to the fbi_hq router and perform a show ip route and source trace. Example 14-15 lists the output from the fbi_hq router. Notice that only the even subnets are being reported from 150.100.100.1 in through interface Serial 0. The odd subnets are now coming from 150.100.101.1 in through interface Serial 1.

Example 14-15 show ip route and trace Commands on fbi_hq Router
    fbi_hq# show ip route
    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
           U - per-user static route, o - ODR

    Gateway of last resort is not set

         150.10.0.0/24 is subnetted, 1 subnets
    C       150.10.1.0 is directly connected, Ethernet0
         150.100.0.0/16 is variably subnetted, 12 subnets, 2 masks
    C       150.100.100.0/30 is directly connected, Serial0
    C       150.100.101.0/30 is directly connected, Serial1
    D       150.100.2.0/24 [90/2297856] via 150.100.100.1, 00:01:35, Serial0
    D       150.100.3.0/24 [90/2297856] via 150.100.101.1, 00:01:30, Serial1
    D       150.100.1.0/24 [90/2297856] via 150.100.101.1, 00:01:30, Serial1
    D       150.100.6.0/24 [90/2297856] via 150.100.100.1, 00:01:35, Serial0
    D       150.100.7.0/24 [90/2297856] via 150.100.101.1, 00:01:30, Serial1
    D       150.100.4.0/24 [90/2297856] via 150.100.100.1, 00:01:35, Serial0
    D       150.100.5.0/24 [90/2297856] via 150.100.101.1, 00:01:30, Serial1
    D       150.100.10.0/24 [90/2297856] via 150.100.100.1, 00:01:35, Serial0
    D       150.100.8.0/24 [90/2297856] via 150.100.100.1, 00:01:35, Serial0
    D       150.100.9.0/24 [90/2297856] via 150.100.101.1, 00:01:31, Serial1
    fbi_hq#
    fbi_hq# trace
    Protocol [ip]:
    Target IP address: 150.100.1.1
    Source address: 150.10.1.1
    Numeric display [n]:
    Timeout in seconds [3]:
    Probe count [3]:
    Minimum Time to Live [1]:
    Maximum Time to Live [30]:
    Port Number [33434]:
    Loose, Strict, Record, Timestamp, Verbose[none]:
    Type escape sequence to abort.
    Tracing the route to 150.100.1.1

      1 150.100.101.1 0 msec 0 msec *
    fbi_hq#

Example 14-16 shows the complete configuration for the state_patrol, county_sheriff, and fbi_hq routers.

Example 14-16 Complete Configurations for state_patrol, county_sheriff, and fbi_hq Routers
    hostname state_patrol
    !
    ip subnet-zero
    !
    interface Loopback20
     ip address 150.100.1.1 255.255.255.0
     no ip directed-broadcast
    !
    interface Loopback21
     ip address 150.100.2.1 255.255.255.0
     no ip directed-broadcast
    !
    interface Loopback22
     ip address 150.100.3.1 255.255.255.0
     no ip directed-broadcast
    !
    interface Loopback23
     ip address 150.100.4.1 255.255.255.0
     no ip directed-broadcast
    !
    interface Loopback24
     ip address 150.100.5.1 255.255.255.0
     no ip directed-broadcast
    !
    interface Loopback25
     ip address 150.100.6.1 255.255.255.0
     no ip directed-broadcast
    !
    interface Loopback26
     ip address 150.100.7.1 255.255.255.0
     no ip directed-broadcast
    !
    interface Loopback27
     ip address 150.100.8.1 255.255.255.0
     no ip directed-broadcast
    !
    interface Loopback28
     ip address 150.100.9.1 255.255.255.0
     no ip directed-broadcast
    !
    interface Loopback29
     ip address 150.100.10.1 255.255.255.0
     no ip directed-broadcast
    !
    <<<text omitted>>>
    !
    interface Serial0
     ip address 150.100.100.1 255.255.255.252
     no ip directed-broadcast
    !
    <<<text omitted>>>
    !
    router eigrp 2001
     network 150.100.0.0
     distribute-list alloweven out Serial0
     no auto-summary
    !
    ip access-list standard alloweven
     permit 150.100.0.0 0.0.254.255
    _______________________________________________________________________
    hostname county_sheriff
    !
    ip subnet-zero
    !
    interface Loopback20
     ip address 150.100.1.1 255.255.255.0
     no ip directed-broadcast
    !
    interface Loopback21
     ip address 150.100.2.1 255.255.255.0
     no ip directed-broadcast
    !
    interface Loopback22
     ip address 150.100.3.1 255.255.255.0
     no ip directed-broadcast
    !
    interface Loopback23
     ip address 150.100.4.1 255.255.255.0
     no ip directed-broadcast
    !
    interface Loopback24
     ip address 150.100.5.1 255.255.255.0
     no ip directed-broadcast
    !
    interface Loopback25
     ip address 150.100.6.1 255.255.255.0
     no ip directed-broadcast
    !
    interface Loopback26
     ip address 150.100.7.1 255.255.255.0
     no ip directed-broadcast
    !
    interface Loopback27
     ip address 150.100.8.1 255.255.255.0
     no ip directed-broadcast
    !
    interface Loopback28
     ip address 150.100.9.1 255.255.255.0
     no ip directed-broadcast
    !
    interface Loopback29
     ip address 150.100.10.1 255.255.255.0
     no ip directed-broadcast
    !
    <<<text omitted>>>
    !
    interface Serial0
     ip address 150.100.101.1 255.255.255.252
     no ip directed-broadcast
    !
    <<<text omitted>>>
    !
    router eigrp 2001
     network 150.100.0.0
     distribute-list allowodd out Serial0
     no auto-summary
    !
    ip access-list standard allowodd
     permit 150.100.1.0 0.0.254.255
    _______________________________________________________________________
    hostname fbi_hq
    !
    interface Ethernet0
     ip address 150.10.1.1 255.255.255.0
    !
    interface Serial0
     ip address 150.100.100.2 255.255.255.252
     no fair-queue
     clockrate 2000000
    !
    interface Serial1
     ip address 150.100.101.2 255.255.255.252
     clockrate 2000000
    !
    <<<text omitted>>>
    !
    router eigrp 2001
     network 150.10.0.0
     network 150.100.0.0
     no auto-summary
    fbi_hq#
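
The wildcard matching behind the alloweven and allowodd lists in Examples 14-13 and 14-14 can be checked offline before a filter is applied to a routing process. The following Python sketch is an added example, not part of the book's lab: the helper names (wildcard_match, permitted, advertised, audit) are illustrative, and the network list is constructed from the routes shown in Example 14-11.

```python
import ipaddress

def ip(s):
    """Dotted quad -> 32-bit integer."""
    return int(ipaddress.IPv4Address(s))

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 0 bit in the wildcard must equal the
    corresponding bit of the base address; a 1 bit is ignored."""
    care = ~ip(wildcard) & 0xFFFFFFFF
    return (ip(addr) ^ ip(base)) & care == 0

def permitted(acl, network):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, base, wildcard in acl:
        if wildcard_match(network, base, wildcard):
            return action == "permit"
    return False

# The two standard named ACLs from Examples 14-13 and 14-14.
ALLOWEVEN = [("permit", "150.100.0.0", "0.0.254.255")]
ALLOWODD = [("permit", "150.100.1.0", "0.0.254.255")]

# Constructed input: the ten loopback subnets plus both serial links,
# taken from the routing table in Example 14-11.
LAB_NETWORKS = [f"150.100.{n}.0" for n in range(1, 11)] + [
    "150.100.100.0", "150.100.101.0"]

def advertised(acl, networks=LAB_NETWORKS):
    """Networks that survive a 'distribute-list <acl> out' filter."""
    return [n for n in networks if permitted(acl, n)]

def audit(acl_a, acl_b, networks=LAB_NETWORKS):
    """Return (permitted by both filters, permitted by neither)."""
    a = set(advertised(acl_a, networks))
    b = set(advertised(acl_b, networks))
    both = sorted(a & b, key=ip)
    neither = sorted(set(networks) - a - b, key=ip)
    return both, neither

if __name__ == "__main__":
    print("alloweven:", advertised(ALLOWEVEN))
    print("allowodd: ", advertised(ALLOWODD))
    print("overlap, gap:", audit(ALLOWEVEN, ALLOWODD))
```

Because each entry tests a single bit, alloweven also permits 150.100.100.0 and any even-numbered subnet later added under 150.100.0.0, not just the five even loopbacks; allowodd behaves the same way for odd subnets.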